YODA
The bill gives individuals ownership over their data, limits collection and monetization, and requires strong rights to access, delete, and port data with clear consent.
The bill gives individuals ownership over their data, limits collection and monetization, and requires strong rights to access, delete, and port data with clear consent.
Proposed by: Rep. Michael Cloud
Status: Introduced May 4, 2026; referred to the House Committee on Energy and Commerce
Purpose and Intent
- The bill seeks to affirm that individuals own the data they generate and restricts entities from forcing data transfer or monetization in exchange for services.
- It aims to prohibit collection of third-party contact information without written consent and to impose broader protections around data access, control, and removal.
- Overall goal: strengthen privacy and data ownership rights for U.S. users, with emphasis on limiting data collection, sharing, and monetization by covered entities.
Key Provisions and Changes
1) Definitions and Scope
- Establishes definitions for terms including:
- Commercial data operator
- Large online operator
- Covered data (includes location, contact details, personal identifiers, web/app usage, biometric data, call records, etc.)
- Data broker
- Monetization
- De-identify and Delete
- User, Covered Entity, Commission (FTC)
2) Prohibition on Access to User Contacts Without Written Consent
- Unlawful for a covered entity to ask a user to share contacts or contact information about the user’s contacts unless the user and the contacts provide written consent.
3) Access, Correction, Deletion, and Portability of Covered Data
- Users may request:
- Access to their data and a list of third parties/service providers who received their data.
- A readable summary of data held/processed, including third-party transfer purposes.
- Correction of inaccuracies, deletion/de-identification of data, and notice to service providers/third parties to which data was transferred.
- Portable, machine-readable data (where feasible) that the data generated by the user and held by the entity.
- Providers must respond within 90 days of a verified request.
- Users may exercise these rights at least twice per 12 months, free of charge.
- Prohibits retaliation; selling or expensive services should not be impacted by a user exercising rights.
- For data like browsing or biometric data, the entity must delete within 60 days of collection.
4) Data Minimization, Retention, and Monetization
- Commercial data operators must limit collection/share to what is reasonably necessary to provide a requested service or fraud prevention.
- Data retention should be limited to what is reasonably necessary; data solely for security/fraud prevention cannot be used for operational purposes.
- Monetization of personal information is not considered reasonably necessary for service provision or security.
5) Consumer Choice and Control
- Requires prominent opt-out options for data collection on every unique website, app, or platform.
- Within two years after enactment, covered entities must take reasonable steps to enable users to delete the covered data directly.
6) Default Settings
- Terms of service may require user consent to transfer covered data to use a service (i.e., data transfer as a condition of service).
7) Minors’ Data
- For users under 18, entities may not collect, retain, or transfer their data to third parties without affirmative parental consent, where technically feasible.
8) Tracking Cookies and User Consent
- Commercial data operators cannot track cookies without user authorization; services must be provided to users whether or not they opt into tracking.
9) Transparency and Privacy Notice
- Requires a clear, concise privacy notice (1,000 words or less) detailing:
- What information is collected
- How it will be used
- Whether it will be sold or shared
10) Data Security and Breach Notification
- Operators must promptly notify users of data breaches and provide remedies (credit protection services, fraud alerts, and monitoring).
Enforcement and Remedies
Representative Provisions and Timeframes
- Response to data requests: within 90 days (Section 3(b)(1)).
- Opt-out and deletion rights: opt-out on every site; deletion capability within two years (Section 3(d)).
- Minor consent: affirmative parental consent required for users under 18 (Section 3(f)).
- Privacy notice: 1,000 words or less (Section 3(h)(1)).
- Annual data-sharing report: required if user permits sale (Section 3(h)(2)).
Potential Impact and Audience
Note: The bill is in early-stage committee consideration and may undergo substantial amendments before any floor consideration or passage.
Compiled from official sources — confirm details with the bill’s official record.
Sign in to ask a question.